Compliance Perspectives show

Compliance Perspectives

Summary: Podcast featuring the top Compliance and Ethics thought leaders from around the globe. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association will keep you up to date on enforcement trends, current events, and best practices in the compliance and ethics arena. To submit ideas and questions, please email: service@corporatecompliance.org

  • Artist: SCCE
  • Copyright: Society of Corporate Compliance & Ethics

Podcasts:

 Gabe Shawn Varges on How Not to Make the Regulator Angry [Podcast] | File Type: audio/mpeg | Duration: 9:04

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Few relationships are as difficult, important, and filled with risks as those with regulators.  Get them right and even a bad situation can be better.  Get them wrong, and situations can quickly spiral out of control. Gabe Shawn Varges, Senior Partner in the Swiss offices of HCM and Director of Compliance Studies at the University of St. Gallen, knows the dynamic well, having served with FINMA, the Swiss financial markets regulator.  In this podcast, he provides his advice for ensuring your relationship with regulators starts on the right foot and stays on the right front. Among his pieces of advice:

  • Avoid overly legal thinking and taking an adversarial approach
  • Invest in the relationship and build trust before issues arise
  • Appreciate that regulators are human, and trying to juggle multiple responsibilities
  • Stay tough on the problem but not on people

Listen in to learn more and, hopefully, pave the way for a healthier relationship with your regulators.

 Joseph Agins on Compliance by Wandering Around [Podcast] | File Type: audio/mpeg | Duration: 13:30

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Joseph Agins, Compliance Officer for Sam Houston State University in Texas, isn’t a big fan of sitting behind the desk.  Instead he believes in what he calls “compliance by wandering around.”  As he explains in the podcast, that doesn’t mean roaming the halls endlessly.  It’s much more strategic than that. It includes meeting with employees, compliance partners and management so that the compliance team has a better idea of what people are doing, while at the same time providing an opportunity to demonstrate the value proposition of compliance. It is also an opportunity to break down barriers and truly listen to people, understand what they do, provide assistance and get better results, including making the workforce more comfortable about bringing issues to compliance.  Likewise, it’s easier to hear about problems when you are out and about. Listen in to learn more about how to wander purposefully.

 Teresa Troester-Falk on California’s New Privacy Law [Podcast] | File Type: audio/mpeg | Duration: 13:53

By Adam Turteltaub adam.turteltaub@corporatecompliance.org The European General Data Protection Regulation (GDPR) has kept compliance officers busy for the last few years, and has kept consumers clicking “I Accept” more than they ever imagined. For those thinking the wave of work is over, it’s time to think again.  The California Consumer Privacy Act (CCPA) is due to go into effect on January 1, 2020 with enforcement beginning July 1.  As Teresa Troester-Falk, Chief Global Privacy Strategist for Nymity, explains, the law applies to more than businesses based in California.  It affects any business that processes data of California residents and has either $25 million or more in revenues, shares or sells data for commercial purposes on 50,000 or more California residents, or gains 50% or more of its revenues from selling consumer information.  That’s a low enough threshold to affect a sizable portion of the business community. The good news is that any business that has already worked to meet the GDPR’s mandates has gone a long way to matching the requirements of the CCPA.  The law focuses, she explains, on the obligations to protect consumer rights.  But it breaks new ground by giving consumers the right not to have their data sold to third parties.  In addition, if a consumer requests that an organization delete information it has on him or her, that organization must also pass that request down to third parties that it has provided data to. Moreover, California is not alone.  Several other states have laws in various stages of the legislative process.  As a result, businesses must be prepared for future regulations that will affect how they handle consumer data. Listen in to learn more about the CCPA’s requirements, and what organizations need to do to meet them.

 Noémie Lichon on the Goals, Tools and Actions of French Data Authority CNIL [Podcast] | File Type: audio/mpeg | Duration: 12:05

By Adam Turteltaub adam.turteltaub@corporatecompliance.org The French Commission Nationale de l’Informatique et des Libertés, better known as CNIL, is one of the foremost authorities in Europe and globally when it comes to the protection of individual data.  With the implementation of GDPR, the stakes have been raised and more companies will find themselves under the microscope of CNIL and other data regulators. Noémie Lichon, the Head of Sanctions and Litigation at CNIL, sat down for a podcast in which she discussed CNIL’s mission, activities, expectations and common problems that affect organizations that hold consumer data. As she explains, the mission of CNIL is to ensure that data privacy law is applied to the collection, use, and storage of personal data.  CNIL informs individuals of their rights under the laws of France and GDPR.  In addition, it provides guidance to businesses and other organizations on how to ensure that they comply with data laws.  It can also levy penalties, including in January 2019 a €50 million fine of Google. Take the time to listen in as she shares:

  • Data on complaints, investigations, and sanctions
  • Common problems that lead to security breaches
  • The importance of compliance to security practices
  • GDPR expectations for response times from data controllers
  • The Google case
  • CNIL’s key priorities for the immediate future

Also, be sure to take advantage of the resources she refers to in her podcast, all available on the CNIL website:

  • Guide: Security of Personal Data
  • Guidelines on Transparency
  • Guidelines on Consent
  • Presentation of the 2018 Activity Report and 2019 Issues of the French Data Protection Authority

 Judith Alison Lee on the New OFAC Compliance Guidance [Podcast] | File Type: audio/mpeg | Duration: 14:59

By Adam Turteltaub adam.turteltaub@corporatecompliance.org May 2, 2019 saw the release by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) of a watershed document:  A Framework for OFAC Compliance Commitments.  As Gibson & Dunn partner Judith Alison Lee explains in this podcast, this is the first time that OFAC has issued guidance for compliance programs.  With its publication, organizations with OFAC compliance programs will find a valuable new resource, and those without a program will have a harder time explaining to the Treasury why they should still receive a reduction in their fines. The contents of the new OFAC guidance should not be surprising to anyone familiar with sanctions compliance, Ms. Lee explains.  OFAC expects companies to be able to demonstrate senior management commitment to compliance, a risk assessment, a risk-based approach, internal controls and training of employees. The real challenge will be, as with other compliance efforts, having the controls integrated into business processes.  One business process that OFAC will be paying particular attention to:  the onboarding of new customers.  Businesses are expected to do what it takes to identify the customers’ owners and see if they are listed as a designated party or entity.  That’s much more granular than the typical FCPA third-party screening. Listen in to this podcast to learn more about what OFAC has to say about compliance programs.

 Josh Toas on Saying No to Power [Podcast] | File Type: audio/mpeg | Duration: 12:58

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Few corporate scandals begin in isolation with one person perpetrating a crime that absolutely no one else in the entire organization knew anything about.  More often, people saw something and feared speaking up. For Josh Toas, Vice President of Compliance and Chief Compliance Officer for the Research Foundation for the State University of New York (SUNY), compliance is about more than the compliance team being willing to say “no” when it sees something wrong.  It’s about the entire organization feeling just as empowered. The challenge, he reports, is that it is too easy for people to hold their tongue.  Employees either don’t know how to frame the conversation, fear retribution, wait until a decision has already been made, or until they are angry.  Many also feel it just isn’t worth it.  They want to just get along or believe that they are not paid enough to take the risks inherent in saying no to people in power. To meet this challenge Josh offers several pieces of advice for the compliance team and the workforce as a whole.  These include avoiding confrontations when already angry, not sweating the small stuff, and helping people realize that everyone makes mistakes. Listen in to learn more about how to handle confrontations professionally, and how to teach your workforce to do so as well.

 Professor Kyle Welch on His Helpline Activity Research [Podcast] | File Type: audio/mpeg | Duration: 12:46

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Helplines are ubiquitous these days, but do they help?  Recent research co-authored by Kyle Welch, an Assistant Professor of Accountancy at George Washington University’s business school, is very promising.  As he explains in this podcast, his research, which used data from helpline provider NAVEX Global, found that firms that have active helplines generally have higher-quality corporate governance and earnings reports. Some may find this counterintuitive, thinking that more calls are a sign of trouble.  Instead, his research revealed, it is more probably a sign of a healthy work environment and business. Listen in to hear more of his data, and to help make the business case for investing in compliance and ethics.  Also, be sure to download a copy of his research.

 Deborah Adleman on Compliance and Ethics Concerns with AI [Podcast] | File Type: audio/mpeg | Duration: 15:21

By Adam Turteltaub adam.turteltaub@corporatecompliance.org The world has grown enamored with Big Data and the promise of Artificial Intelligence (AI).  As the next big thing, many believe that it will be transformative for business, and even medicine, exposing patterns that humans miss, and enabling far better decision making. But over the last few months, there has been a shift in the discussion as cases of less than compliant and not exactly ethical decisions were being made by the algorithms behind AI, reports Deborah Adleman, a Director with Ernst & Young LLP where she is the US and Americas Data Protection Leader and an executive within the Office of Ethics and Compliance and Risk Management. In this podcast she reports that in at least one case gender bias started to emerge, and people from certain ethnic backgrounds were being precluded from hiring due to zip code-based decision making. This should set off alarm bells for compliance and ethics teams. To help manage the risk, she recommends not blindly trusting the AI.  Compliance teams should take the time to consider four areas that are important for generating trust in the AI solution:

  • Ethics: Does the solution agree with the values, mission and code of the organization?
  • Social Responsibility: Does it have potentially negative social implications?
  • Accountability: Is there clarity as to how the AI operates and the decisions it is supporting?
  • Reliability: Has it been tested rigorously?

Even before that, she advises compliance professionals to invest the time in understanding AI and the emerging rules:  both the European Commission and OECD have already issued AI principles. Listen in to raise your own intelligence level about Artificial Intelligence.

 Don Griffith on the Differences Between Corporate and Financial Services Compliance [Podcast] | File Type: audio/mpeg | Duration: 15:36

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Walk around most corporate compliance conferences and you’ll see people from virtually every industry, save one:  financial services.  Banks and the entire securities industry are largely absent, and yet, they have very extensive compliance programs. Don Griffith, who is Head of Financial Crimes & Fraud Prevention Compliance for MassMutual, has unique insight into this issue.  He has worked in private practice, corporate compliance, financial services compliance and at the Securities & Exchange Commission. As he explains in this podcast, the two compliance worlds have a very different perspective.  While corporate compliance tends to begin with a very broad view, starting from the approach outlined in the US Federal Sentencing Guidelines, financial services compliance programs were built to meet the need to comply with very specific regulations and securities law. While these approaches are very different, there is much that each side can learn from the other, Don believes.  The financial services practice of digging down into business products and processes, for example, can be very instructive for corporate compliance efforts.  Likewise, the focus on ethics and the big picture issues in corporate compliance programs can provide lessons for financial services. Listen in to learn more about how both financial service compliance professionals and corporate compliance professionals could benefit from each other’s expertise.

 Steve Harrison on New Hire Negotiations [Podcast] | File Type: audio/mpeg | Duration: 13:40

By Adam Turteltaub adam.turteltaub@corporatecompliance.org You’ve just been offered a new job, or you’ve just offered a candidate a new position on your team.  Then the job seeker would like to negotiate on salary.  If it goes right, everyone is happy.  If it goes wrong, the hire may not be made, or the relationship could get off on a very wrong foot. Steve Harrison, a partner at compliance executive search firm Conselium, reports that one of the greatest myths when it comes to hiring is that it is necessary to negotiate salary in the first place.  While many believe that it is expected, that’s not true.  In fact, it is perfectly acceptable and not a sign of some deficiency for a candidate to say yes to the offer, consider it a win and move on. Sometimes, though, there is a need for some back and forth on salary, vacation time or other benefits.  In those cases, he advises in this podcast, it should never be done emotionally.  It’s important for both sides to recognize that this is a business conversation.  Have facts to back up your case and both sides should have a “yes” number and a “no” number in mind. Another myth:  that the candidate should disclose his or her current salary.  In some jurisdictions that may not be required, but wherever the conversation takes place it is very helpful for there to be clarity on the candidate’s side of what his or her expectations are.  If that conversation doesn’t take place early enough, a great interviewing process may all be for naught. Another way for hiring to go awry:  the hiring manager hands off the negotiation and final details to HR or some other part of the organization to handle.  It’s critical to stay involved so that whoever is handling things for the company understands why the person was recruited and the value that they can bring to the organization. 
Whether you are looking for a new job or looking to hire, listen in to learn more about how you can make the hiring process much easier, and less likely to go awry.

 James Green on Compliance and Crisis Management [Podcast] | File Type: audio/mpeg | Duration: 12:05

By Adam Turteltaub adam.turteltaub@corporatecompliance.org When a compliance breach occurs, one would expect the compliance team to be a part of the crisis management team.  Crisis management expert James Green argues that compliance needs to be a part of the crisis management team regardless of the incident.  That’s because even a response to a natural disaster may have compliance implications. For example, if a flood makes your office inaccessible, it may seem just fine to have employees work from home.  But, what if they are interacting with personal data?  Is their home network secure enough to protect it or are you opening yourself up to the risk of a data breach? This edition of the Compliance Perspectives podcast also includes other important advice for managing a crisis, including:

  • Pick crisis committee members not based on their title but based on their knowledge of how the business works
  • Be sure your response is a fit with your culture, or you may end up creating even more problems
  • Know in advance which authorities you need to contact, what method – mail, email, fax, phone – must be used, and by what date
  • Make sure you keep your employees informed about what’s going on; it’s better than them finding out through the media
  • Revisit your crisis plan regularly and test it periodically

Listen in to the podcast now.  You’ll be glad you did when the next crisis hits.

 Kasey Ingram on Working with the Regulatory Team [Podcast] | File Type: audio/mpeg | Duration: 13:07

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Compliance success in a heavily-regulated industry likely means working hand in hand with the regulatory team.  Kasey Ingram, General Counsel and Chief Compliance Officer of ISK Americas, a global chemical company, knows this well.  Few industries are as regulated as the chemicals business. As he explains in his latest podcast, success for him and his compliance program begins with understanding what compliance and regulatory each can do best.  He focuses on looking at the big culture controls while the regulatory department, which has the very specific knowledge of all the details, deals with the day-to-day activities. To help ensure collaboration with regulatory, he advises that compliance be present, make sure people know who you are and are comfortable talking to you.  That way you go from the compliance guy to a person.  Second, build controls based on what people do and that both minimize interference and are easy to perform.  Finally, he advises that you do your best to know the rules:  if you can’t understand them you won’t have any credibility. Listen in as he also provides a process for building a regulatory compliance program that recognizes the risks, has proper controls in place and enjoys the support of key business leaders (even the ones who initially weren’t happy about it).

 Kevin Braine on Economic Sanctions [Podcast] | File Type: audio/mpeg | Duration: 12:53

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Managing economic sanctions compliance is a hot topic these days.  The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) just released a new Framework for OFAC Compliance Commitments.  At the same time, the picture for Iranian sanctions seems to be changing daily. To help understand the issue, we sat down for a podcast with Kevin Braine, Kroll’s Regional Managing Director EMEA, Compliance Risk & Diligence. He explained that both the US and EU have been active in issuing sanctions, but that the US has proven a more active regulator, with very severe economic consequences possible for those who run afoul of sanctions regimes. Making matters more complex is that the sanctions may apply both to individuals (people and companies) and entire sectors.  In addition, there can be differences in sanctions regimes between the US and EU, with the EU (when we recorded this but that may have changed by the time you listen) taking a softer stance on Iran.  France has even offered to compensate French companies for doing business with Iran if fined by the US. To get a handle on the issue, understand where the US and EU stand on Iran and Russia.  In addition, know the sanctions regimes of other countries where your firm does business, Braine warns.  It’s also crucial to know who is the ultimate beneficial owner (UBO) of organizations you do business with.  That can be a great challenge in many countries, where ownership is opaque either intentionally or due to paper-based systems. Bottom line:  listen in, and tread carefully in the realm of sanctions.

 Brian Beeghly on Conflicts of Interest [Podcast] | File Type: audio/mpeg | Duration: 13:02

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Conflicts of interest have likely been around as long as there have been people.  When mankind learned to use fire, there was probably a guy who made blankets who criticized fire as too dangerous as a source of warmth, not realizing he was conflicted, or hoping others wouldn’t figure it out. Despite the timelessness of them, businesses can’t afford to not manage conflicts of interest.  Brian Beeghly, co-founder and CEO of Informed360, explains in this podcast that most companies today have at least a conflict of interest policy.  There, however, the paths diverge.  Some have no mechanisms for tracking conflicts, others rely on paper-based methods and some have moved to automated tools and processes. Brian argues that companies have to look at the disclosure process itself, starting with the timing.  Is it an annual event across the company or is it more personal and timed to when an employee starts working with a new customer or vendor, or assumes a new position in the company? Also, examine how easy it is for the employee to disclose their conflicts.  Not only should the actual process be simple, but employees should also have the training to understand what conflicts are. Listen in to learn more about how your organization can better manage conflicts of interest.

 John Wilson on Hotline Benchmarking [Podcast] | File Type: audio/mpeg | Duration: 13:35

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Is your hotline ringing enough or too much?  Are you getting too many calls in one risk area or country?  Not enough in another?  And is the telephone-based helpline really all you need anymore? To help answer these questions UK-based hotline provider Expolink recently released its fourth annual Whistleblowing Benchmarking Report.  In this podcast, Expolink Chief Executive John Wilson discusses some of the highlights with us. Notably, the data shows that picking up the phone, as opposed to using online channels, has declined considerably through the years.  And, while actual calls now account for less than half of all reports, there is still great value to them.  People often prefer and can be more forthcoming when there is another person on the other side of the line.  In addition, they are less likely to be anonymous. Listen in as we discuss this issue as well as additional findings including:

  • Whether the fear of malicious reports through anonymous channels is warranted
  • The number of calls that are HR-related rather than compliance-focused
  • The impact of the #MeToo movement on helpline contacts
  • The often substantial variations by country in the types of reported violations, use of anonymous vehicles and reporting methods
  • The rise in confidential reporting
